Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 679
  • Last Modified:

domain time not syncing

i have a single domain with 3 sites.  everything is working fine except that at site 2 the time on the local domain controller will not sync with the PDC at site 1.

each site has it's own domain controller. site 1 is connected to site 2 via private line.  site 1 is connected to site 3 via VPN at our firewalls.  site 2 and 3 cannot communicate directly.

users on the domain at site 2 are pulling incorrect time from the DC at site 2.  on the DC at site 2 a w32tm /monitor recognizes a time mismatch between it and the PDC at site 1, but a resync does not fix the issue.

i went ahead and added the PDC at site 1 as a manually added peer, but resyncing still does not fix the issue...

to temporarily fix the issue i did a net time \\DC@site1 /set.  i've had to do this twice within the last 3 months.  any ideas why the DC at site 2 is not pulling time correctly?  i've checked and UDP traffic on port 123 is allowed across our private link, so its not a traffic/routing/networking issue.

many thanks in advance.
0
j_haff
Asked:
j_haff
  • 2
1 Solution
 
irweazelwallisCommented:
you need to set up windows time settings to sort this out so that resync happens automatically

you can use WMI filtering to automatically move the Time settings around

http://blogs.technet.com/b/askds/archive/2008/11/13/configuring-an-authoritative-time-server-with-group-policy-using-wmi-filtering.aspx

then add the additional settings to control how often it syncs and where from

On the PDC add these settings to the policy (where GPS External is a dns record pointing at an external time source, this could also be pool.ntp.org or something similar)

System/Windows Time Service/Time Providershide
Policy Setting Comment
Configure Windows NTP Client Enabled  
NtpServer GPSEXTERNAL,0x1
Type NTP
CrossSiteSyncFlags 2
ResolvePeerBackoffMinutes 15
ResolvePeerBackoffMaxTimes 7
SpecialPollInterval 900
EventLogFlags 3


 on the default DC policy
System/Windows Time Service/Time Providershide
Policy Setting Comment
Configure Windows NTP Client Enabled  
NtpServer time.windows.com,0x9
Type NT5DS
CrossSiteSyncFlags 2
ResolvePeerBackoffMinutes 15
ResolvePeerBackoffMaxTimes 7
SpecialPollInterval 3600
EventLogFlags 1
 

i use the following in both to control the correction

System/Windows Time Servicehide
Policy Setting Comment
Global Configuration Settings Enabled  
Clock Discipline Parameters
FrequencyCorrectRate 4
HoldPeriod 5
LargePhaseOffset 50000000
MaxAllowedPhaseOffset 300
MaxNegPhaseCorrection 172800
MaxPosPhaseCorrection 172800
PhaseCorrectRate 7
PollAdjustFactor 5
SpikeWatchPeriod 900
UpdateInterval 100
General Parameters
AnnounceFlags 10
EventLogFlags 2
LocalClockDispersion 10
MaxPollInterval 10
MinPollInterval 6
ChainEntryTimeout 16
ChainMaxEntries 128
ChainMaxHostEntries 4
ChainDisable 0
ChainLoggingRate 30
0
 
irweazelwallisCommented:
to run through the checking you can do some of the following

setup debugging on window time

http://support.microsoft.com/kb/816043

this will create log files and you can tell if its pulling the time from the right place

w32tm /query /status to see what its doing

then
w32tm /monitor /computers:dc2.domain.com,DC01.domain.com (It will show the offset by comparing with your PDC)

or with a nice easy display

w32tm /stripchart /computer:<remote computer>
0
 
userPrincipalNameCommented:
It should be pointed out the Announce Flags on your PDCe should be set to 5.  All other DCs should be set to 10.
0
 
ChiefITCommented:
Also, how far out of time are they?

MaxAllowedPhaseOffset 300

This means they will not synch unless they are +/- 5 minutes out of synchronization.
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now